Securing Mobile App Development with Compliance Aware CI/CD Pipelines in Government

Authors

  • Mahendar Ramidi, Independent Researcher, USA

DOI:

https://doi.org/10.15680/IJCTECE.2024.0703007

Keywords:

Mobile CI/CD Pipelines, Government Mobile Applications, Compliance-Aware DevOps, Secure Mobile Deployment, iOS and Android Build Automation, Release Governance Frameworks, Audit-Ready CI/CD Systems, Secure Release Management

Abstract

Government mobile applications are subject to regulatory controls, security baselines and release governance that a conventional CI/CD pipeline does not readily provide. This paper proposes a compliance-aware CI/CD design for mobile apps deployed in government and other public-sector settings, where traceability, controlled releases and verifiable security are mandatory. The proposed architecture integrates secure code signing, environment-specific configuration management and provisioning automation to prevent misconfiguration across development, staging and production. It embeds continuous security practices through automated static analysis, dependency scanning, secret detection and artifact integrity verification, and it produces evidence that can be ingested into audits and investigations without slowing delivery. A policy-based release gating layer enforces governance rules such as mandatory approvals, segregation of duties and risk-based promotion policies before builds are allowed to move to distribution channels. The framework also makes iOS and Android deployments auditable: build provenance, signing events, scan reports and release decisions are stored in tamper-evident logs. In practice, the approach yields visible improvements: shorter release cycles, fewer deployment failures, and the ability to remain compliant during periods of high demand on public services (e.g. enrollment periods). By aligning DevOps automation with regulatory controls, the framework lets government teams scale mobile delivery while preserving security assurance and release accountability.
The paper concludes with practical recommendations for adoption, including the suggested controls, pipeline patterns and operational considerations needed to sustain compliance over the long term.
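The release gating layer and the tamper-evident decision log described in the abstract can be illustrated with a small Python model. The following is an added example written for this page, not code from the paper: it evaluates a hypothetical per-channel policy (approval count, finding thresholds, segregation of duties, artifact/provenance/signing digest agreement) over a constructed evidence bundle for one Android build, then appends each decision to a SHA-256 hash chain and shows that a later edit of a stored decision is detected. Channel names, thresholds, identities and the evidence fields are all assumptions made for the demo.

```python
import copy
import hashlib
import json

# Risk-based promotion policy per distribution channel (hypothetical values): the closer a
# channel is to citizens, the more approvals it needs and the fewer findings it tolerates.
CHANNEL_POLICY = {
    "staging":    {"min_approvals": 1, "max_critical": 0, "max_high": 5, "max_secrets": 0},
    "production": {"min_approvals": 2, "max_critical": 0, "max_high": 0, "max_secrets": 0},
}

# Constructed evidence bundle for one Android build; every value is made up for this demo.
ARTIFACT_DIGEST = hashlib.sha256(b"constructed sample apk bytes").hexdigest()
SAMPLE_EVIDENCE = {
    "build_id": "android-1042",
    "artifact_sha256": ARTIFACT_DIGEST,
    "provenance": {"artifact_sha256": ARTIFACT_DIGEST, "builder": "ci-runner-7", "commit": "a1b2c3d"},
    "signing": {"signed_sha256": ARTIFACT_DIGEST, "key_id": "release-key-2024"},
    "scans": {"sast": {"critical": 0, "high": 1}, "dependencies": {"critical": 0, "high": 0},
              "secrets": {"findings": 0}},
    "author": "dev.alice",
    "approvals": ["sec.bob"],
}


def evaluate_gate(evidence, channel):
    """Return (allowed, reasons). Every violated rule is listed, so a denial is explainable."""
    policy = CHANNEL_POLICY[channel]
    reasons = []
    digest = evidence["artifact_sha256"]
    # Artifact integrity: provenance and the signing event must cover the exact bytes built.
    if evidence["provenance"]["artifact_sha256"] != digest:
        reasons.append("provenance digest does not match the artifact")
    if evidence["signing"]["signed_sha256"] != digest:
        reasons.append("signing event covers a different artifact")
    # Scan thresholds: static-analysis and dependency findings are pooled by severity.
    scans = evidence["scans"]
    critical = scans["sast"]["critical"] + scans["dependencies"]["critical"]
    high = scans["sast"]["high"] + scans["dependencies"]["high"]
    if critical > policy["max_critical"]:
        reasons.append(f"{critical} critical findings exceed limit {policy['max_critical']}")
    if high > policy["max_high"]:
        reasons.append(f"{high} high findings exceed limit {policy['max_high']}")
    if scans["secrets"]["findings"] > policy["max_secrets"]:
        reasons.append("secret detection reported findings")
    # Segregation of duties: the author may not approve their own build, and approvals
    # must come from enough distinct identities other than the author.
    approvers = set(evidence["approvals"])
    if evidence["author"] in approvers:
        reasons.append("author approved their own build")
    if len(approvers - {evidence["author"]}) < policy["min_approvals"]:
        reasons.append(f"needs {policy['min_approvals']} independent approvals")
    return (not reasons, reasons)


def _canonical(record):
    # Stable serialization so the same record always hashes to the same bytes.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def append_decision(log, record):
    """Append a record whose hash commits to every earlier entry (hash chain)."""
    prev_hash = log[-1]["entry_hash"] if log else "0" * 64
    entry_hash = hashlib.sha256(prev_hash.encode() + _canonical(record)).hexdigest()
    log.append({"prev_hash": prev_hash, "record": record, "entry_hash": entry_hash})
    return entry_hash


def verify_log(log):
    """Return (intact, index): index is the first broken entry, or len(log) if intact."""
    prev_hash = "0" * 64
    for index, entry in enumerate(log):
        expected = hashlib.sha256(prev_hash.encode() + _canonical(entry["record"])).hexdigest()
        if entry["prev_hash"] != prev_hash or entry["entry_hash"] != expected:
            return False, index
        prev_hash = expected
    return True, len(log)


def run_demo():
    """Gate one build for two channels, log both decisions, then detect an edited decision."""
    log = []
    results = {}
    for channel in ("staging", "production"):
        allowed, reasons = evaluate_gate(SAMPLE_EVIDENCE, channel)
        results[channel] = allowed
        results[f"{channel}_reasons"] = reasons
        append_decision(log, {"build_id": SAMPLE_EVIDENCE["build_id"], "channel": channel,
                              "allowed": allowed, "reasons": reasons})
    results["log_intact"] = verify_log(log)[0]
    # Someone later flips the stored production decision to "allowed": the chain breaks there.
    tampered = copy.deepcopy(log)
    tampered[1]["record"]["allowed"] = True
    intact, index = verify_log(tampered)
    results["tamper_detected"], results["tamper_index"] = (not intact), index
    return results


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

With this evidence the build is promotable to staging (one independent approval, one high finding under the staging limit) but is refused for production, with both the finding threshold and the approval count listed as reasons. The hash chain only gives tamper evidence if its head hash is anchored outside the log itself (signed, or copied to a separate append-only store on every write); an attacker who can rewrite the whole log can re-chain it, so the chain is a detection aid, not a substitute for restricting write access.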

Published

2024-05-21

How to Cite

Securing Mobile App Development with Compliance Aware CI/CD Pipelines in Government. (2024). International Journal of Computer Technology and Electronics Communication, 7(3), 8824-8825. https://doi.org/10.15680/IJCTECE.2024.0703007